Verifying and testing that the claimed identity is correct and valid is known as the process of authentication. In order to authenticate, the subject must present additional information that should be exactly the same as the identity established earlier. A password is one of the most common types of mechanism used for authentication.
The following are some of the factors that are often used for authentication:
- Something you know: The something you know factor is the most common factor used for authentication. For example, a password or a simple personal identification number (PIN). However, it is also the easiest to compromise.
- Something you have: The something you have factor refers to items such as smart cards or physical security tokens.
- Something you are: The something you are factor refers to using your biometric properties for the process of authentication. For example, using fingerprint or retina scans for authentication.
Identification and authentication are always used together as a single two-step process.
Providing an identity is the first step, and providing the authentication factor(s) is the second step. Without both, a subject cannot gain access to a system. Neither element alone is useful in terms of security.
Common attacks on authentication include:
- Brute force: A brute force attack involves trying all possible permutations and combinations of a particular character set in order to get the correct password
- Insufficient authentication: Single-factor authentication with a weak password policy makes applications and systems vulnerable to password attacks
- Weak password recovery validation: This includes insufficient validation of password recovery mechanisms, such as security questions, OTP, and so on